risk & regulatory series - rcm - kpmg us llp | kpmg | us · the current regulatory regime (i.e....

Risk & Regulatory Series

ORSA – Next Steps

1© 2015 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. KPMG CONFIDENTIAL.

Agenda

I. The first Canadian ORSAs

– Benchmarking ORSA maturity

– Challenges observed in completing and developing the first ORSAs

II. Detailed observations, and the way forward

– Maturity of the first ORSAs

– Development roadmap

– What does better look like?


ORSA Maturity Assessment Canadian Insurers – 2014 reports

Lagging Developing Good Leading

Roles and Responsibilities

Process

Documentation

Risk Strategy and Appetite

Material Risk Assessment

Emerging Risk Assessment

Stress and Scenario Testing/Reverse Stress Testing

Projection of Capital

Capital Assessment

Risk Management System

Use in Decision-Making

Alignment to Business Planning

Worst in Class Average Best in ClassLegend:

Challenges in completing and developing the first ORSAs


Common observed weaknesses and gaps

■ Considerable reliance on standard MCT/MCCSR model

– Need to develop better challenge of standard MCT/MCCSR model

– Limited modelling capabilities demonstrated – so far

– Need to develop validation and verification of models and data

– Operational risk poorly understood, with relatively immature measurements – same for aggregation and diversification

■ How much work do you need to make ORSA capital your “own” view?


Regulatory capital minimums and internal target ratios

■ Supervisory Target Capital Ratios are set above the minimum regulatory capital requirement (i.e. rather than just 100%, MCCSR - Tier 1 105%, Total 150%; MCT - Total 150%) to cover the risks specified in the capital tests as well as provide a margin for other types of risks not included in the tests

■ Insurers are expected to set Internal Target Capital Ratios in excess of the Supervisory Target, and to operate above their internal targets

Supervisory Target (150%)

Internal Target (e.g. 190%)

Actual capital level

Stress testing

Dynamic Capital

Adequacy Testing (DCAT)

Difference enough to cover plausible

adverse conditions

Economic capital

modeling

Strategic and business planning

Budgeting and financial projections

Rating agency

assessments

Supervisory judgments

Transparency of public

disclosures

Risk appetite decisions


Regulatory capital minimums and internal target ratios

■ Supervisory Target Capital Ratios are set above the minimum regulatory capital requirement (i.e. rather than just 100%, MCCSR - Tier 1 105%, Total 150%; MCT - Total 150%) to cover the risks specified in the capital tests as well as provide a margin for other types of risks not included in the tests

■ Insurers are expected to set Internal Target Capital Ratios in excess of the Supervisory Target, and to operate above their internal targets

■ ORSA is now central to these discussions

Supervisory Target (150%)

Internal Target (e.g. 190%)

Actual capital level

Stress testing

Dynamic Capital

Adequacy Testing (DCAT)

Difference enough to cover plausible

adverse conditions

Economic capital

modeling

Strategic and business planning

Budgeting and financial projections

Rating agency

assessments

Supervisory judgments

Transparency of public

disclosures

Risk appetite decisions

ORSA


Internal capital alternatives – maturity spectrum, in the context of ORSA

Rudimentary AverageSome leading

practices Most sophisticatedCapital measurement

• Use of standard MCT/MCCSR, and DCAT to meet annual requirements

• Standard MCT/MCCSR model + DCAT

• Better use of stress testing

• Standard model supplemented by EC and “EC lite” methods

• Stress testing

• Full economic capital model

• Continuous monitoring

• EC used in capital allocation

Who might use?

• Very small and simple insurers

• Small to medium insurers

• Medium to large insurers

• Some larger, more complex insurers

Pros and cons • Simple; “can’t go below regulatory test anyway”

• Is it “own view”?

• Simple; “can’t go below regulatory test anyway”

• Is it “own view”?

• Support for lower Internal Target with OSFI

• Public disclosure plus• Meet expectations of

analysts, rating agencies, regulators

• Better management info

• Greater effort and cost

• Support for lower Internal Target with OSFI

• Public disclosure plus• Meet expectations of

analysts, rating agencies, regulators

• Better management info

• Most effort and cost


Internal capital alternatives – can you support your choice?

Rudimentary AverageSome leading

practicesMost

sophisticatedCapital measurement

• Use of standard MCT/MCCSR, and DCAT to meet annual requirements

• Standard MCT/MCCSR model + DCAT

• Better use of stress testing

• Standard model supplemented by EC and “EC lite” methods

• Stress testing

• Full economic capital model

• Continuous monitoring• EC used in capital

allocation

How would you support for use in an ORSA?

• Acceptance by regulators should be sought in advance

• Internal target ratio reflects conservative judgmental assessment of the organization’s risk profile

• Retrospective analysis of past financial results indicates no surprises or problems

• Qualitative analysis of whether there are indicators of higher risk or risk trending higher

• Acceptance by regulators should be sought in advance

• Internal target ratio reflects conservative judgmental assessment of the organization’s risk profile

• Retrospective analysis of past financial results indicates no surprises or problems

• Qualitative analysis of whether there are indicators of higher risk or risk trending higher

• Some quantitativechallenge of standard model for key risks

• EC approaches for key risks

• Internal target ratio reflects assessment of the organization’s risks

• Key risk indicators are used to monitor key risks and risks trends –particularly for risks where the standard model is used

• Model validation and governance where EC models are used

• Model validation and governance, such as strong internal audit

• Periodic independent reviews

• Key risk indicators are used to monitor key risks and risks trends

• Robust process for identifying and measuring new and emerging risks


Common observed weaknesses and gaps (cont’d)

■ Risk appetite statements

– Incomplete

– Tend to be weak on strategic and reputational risks

– Lack of measurement

■ Poor connectivity to business and strategic planning

■ Risks and internal control assessments

– Too detailed, and too focused on financial reporting

– Lack of linkage of net risks to capital needs


Common observed weaknesses and gaps (cont’d)

■ Improvement in processes for emerging risks needed

– Insurers generally behind other financial institutions

– More sophisticated use of scenario and reverse stress testing

– Consider operational/reputational scenarios

■ Need to develop processes to sustain ORSA - management challenge, validation and verification, and independent reviews

■ Need to develop depth and frequency of board oversight process


Experience Globally – Europe

EIOPA (European Insurance and Occupational Pensions Authority) issued Guidelines on the Forward Looking Assessment of Own Risks (“FLAOR”), based on ORSA principles, in October 2013 which details 25 guidelines providing greater context than previous guidance. The Guidelines on the ORSA / FLAOR apply from January 2014 and regulators throughout the EEA were required to report progress back to EIOPA on 28 February 2015. In summary these are as follows:

■ To establish an ORSA/FLAOR policy.

■ Ensure the administrative, management or supervisory body (AMSB) steers the ORSA/FLAOR process including setting of key assumptions as well as challenge and use of outputs.

■ Perform in 2014 an ORSA/FLAOR assessment based on own view of all risks which reflects the current regulatory regime (i.e. ICA/ICA+ and Solvency I).

In 2015, the requirements move closer to Solvency II standards as follows:

■ Perform an ORSA/FLAOR assessment based on own view of all risks which reflects the current regulatory regime as well as a comparison to the Solvency II requirements.

■ Analysis of the deviation of the risk profile assessment from that implied by the SCR.


Experience Globally – Europe

Challenges being faced by insurers

The greater context provided by EIOPA’s preparatory guidelines also presents challenges that may not have been considered previously, for example:

■ What constitutes continuous compliance with regulatory capital requirements and how to go about evidencing this;

■ How to facilitate the AMSB (“administrative, management or supervisory body”) taking an active role in the development of the ORSA / FLAOR;

■ Dealing with material risks that are not captured by the SCR calculation regardless of whether they are quantifiable or not; and

■ The creation of an AMSB-approved ORSA / FLAOR policy.


Experience Globally – Other jurisdictions

Beyond Europe there has been notable progress around implementing similar ORSA / FLAOR requirements. This progress impacts Groups who need to respond to differing regulatory regimes, and increases supervisory knowledge and expectations on ORSA / FLAOR standards for example:

■ Asia – Singapore, Taiwan and Malaysian regulators developing ORSA / FLAOR standards in line with Solvency II developments;

■ United States – The NAIC ORSA (effective in 2015) is less prescriptive on the role of the Board and there is more flexibility on the capital basis that underpins the assessment – size test exempts smaller insurers, and may have more of a compliance focus;

■ Bermuda – the CISSA and GSSA are broadly consistent with Solvency II requirements; and

■ South Africa and Australia – have introduced ORSA / FLAOR type assessments into their regulatory regimes.

Comments by Area- Maturity of the first ORSAs- Development roadmap- What does better look like?


ORSA summary results – Management

■ In all reports firms referenced the Board playing an active role in steering the ORSA. However, there appeared to be limited evidence of the role performed by Boards in practice. More advanced reports demonstrated the challenge the Board had provided and referenced decisions taken.

■ There was limited discussion of the role of Committees / Senior Management within the ORSA process. More advanced reports reviewed noted the key people involved in the ORSA and their role.

UK Benchmarking Findings (2013)

Roles and responsibilities

Area Canadian Benchmarking Findings (2014)

■ Initial reports often referred to planned board oversight and approvals, but the actual processes and responsibilities were not yet in operation.

■ Limited, general discussion of management roles and oversight.



■ The majority of reports documented the high-level components included within the ORSA process. There is clear development needed in terms of the timing, owners, detail and actual assessment undertaken. Given the ORSA may need to be run on an ad-hoc basis at short notice, the ORSA process needs to demonstrate clearly how the assessment will take place.

■ Several reports aligned the Risk Appetite framework to the triggers for performance of an ad-hoc ORSA. This was considered to be stronger practice and an area of development for other firms.


Process


■ High level documentation of responsibilities and processes. Responsibilities and processes often were not fully thought out. ORSA process was generally not well defined as an operationalized process.

■ In many cases, it is unclear how the planned ORSA processes will be integrated with business and strategic planning.

■ Process and timing expectations for revising or updating an ORSA were typically not well documented. The conditions that would trigger the revision or update were frequently not defined.



■ Few reports contained executive summaries which highlighted clear areas for Board discussion and comment. Given the length of reports this ought to be an area of focus for the future to ensure the core points for decision and understanding are presented.

■ Many reports appeared to have been developed as ‘desk-based’ exercises rather than as part of a broader process. As a result there was no clear ‘story’ of how the Risk, Capital and Business plan aligned and sections appeared siloed.


Documentation


■ Initial reports were incomplete in many respects and often did not show a clear overall assessment statement in the executive summary or the body of the report.

■ Initial ORSAs typically did not show evidence that they are part of an operationalized process rather than a “desk based” exercise.

■ Use of a multi year development roadmap is a leading practice.


ORSA summary results – Risk-based Decisions

■ Many reports contained largely static information on the Risk Management System (RMS) explaining the processes followed and key components. Stronger reports indicated key areas of change within the RMS, whilst static information was consigned to the supporting documentation.

■ Few reports demonstrated a review of the RMS taking place with consideration for changes needed as a result. More mature reports provided a summary of the weaknesses in the RMS which were being addressed.


Risk Management

System


■ Commonly, the description of the risk management system is narrative and static, and does not describe monitoring, current state of controls and net risks. A leading practice would be to develop monitoring and reporting processes that are at a level that is usable in ORSA process and oversight.


ORSA Development RoadmapRoles, Process, Documentation and System

. ■ Continue Board education and the development of detail, depth and frequency of the Board oversight process

■ Firms need to develop the management and board routines around ongoing monitoring of ORSA, and a “production environment” risk management system: Key metrics reporting Relationship to ongoing stress testing Risk monitoring, risk appetite, emerging

risks Development of supporting systems Frequency, format and documentation Responsibility for management and board

oversight Approach to validation and verification


Designing and embedding an ORSA within the business

■ Risk monitoring

■ Risk identification

■ Statutory capital calculation

Risk identification

■ Current qualitative risk profile

■ Current quantitative risk profile

■ Strategy and business plan

■ Base scenario Risk projection ■ Projected risk profile

■ Risk scenarios

■ Strategic risk identification Stress and scenario testing

■ Overview impact stress testing

■ Strategy and business plan

■ Base scenario

■ Risk appetite Risk analysis

■ Analysis of the current and projected risk profile in relation to the business plan (strategic objectives, financial plan and risk appetite)

1. Inputs 3. Outputs2. ORSA process steps key activates

Functions/activitiesRisk, Finance (incl. actuarial), Operations (incl. strategy), Boards/Committees

StakeholdersBoard/Committees, External stakeholders, Business functions

ORSA Report

ORSA and business planning are strongly aligned: The ORSA process needs input from the business planning process and vice versa■ The process should be embedded in business as usual (BAU)■ The process generates input from business as usual activities across operations, finance and risk management■ The outputs of the ORSA, together with a reference to or a summary of the inputs, are captured in the ORSA report


What does “better” look like?Roles, Process, Documentation and System

“Better practices” observed:

Oversight

■ Separate board risk committee with appropriate mandate, or mandate and operations for risk oversight clearly and separately documented (eg. In an “audit and risk committee”)

■ Executive risk committee

■ Improved BOD and senior management engagement – training, scheduling of focused attention to risk issues

Reporting and monitoring

■ Continuous monitoring - quarterly at least

■ Risk dashboard reporting

■ Key metrics, drawing on KMR metrics as a starting point

■ Trigger points for when you should consider refreshing ORSA ahead of the usual annual cycle

Policies for independent validation and verification

■ Internal audit mandate reflects risk as an important focus area; policy for 3rd party reviews


ORSA summary results – Risk Strategy and Appetite

■ Although most firms had Risk Appetite statements, there was typically less evidence of more granular limit frameworks with approved tolerances within which the business could manage risk.

■ In several reports Risk Appetites were not clearly aligned to the material risk exposures, suggesting a lack of embedding within the business. This meant the report did not evidence a clear comparison between the Appetite and Risk Profile.


Risk Strategy and

Appetite


■ Risk appetite statements were fairly rudimentary in most cases, stopping at total enterprise measures, focusing on capital preservation and income volatility. Many elements expressed only in qualitative terms.

■ RAS frequently incomplete and tended to be weak on strategic and operational risks

■ RAS typically not disaggregated and linked to how risk would be managed at the business unit level, e.g. RAS at a BU level, with linkages to business limits that could be communicated to and acted on by individual managers.


ORSA Development RoadmapImproving Risk Strategy and Appetite

■ Risk appetite statements generally need some work! More quantitative measures/limits For “zero tolerance” statements, relate to how

you would monitor compliance Consider how you would describe your risk

profile – should correspond to RAS■ Risk appetite needs to relevant to how the business

is managed and how it is governed Requires the RAS to be specific to the business

units, with business limits that can be communicated to and acted on by BU managers.

RAS should be integral part of both the ORSA and the strategic plan


Business strategy

Align

Operational level limit frameworks (Insurance,

Market, Creditand Operational Risk)

Statements Tolerance and limits

Risk appetite

Risk appetite governance■ Approval and delegation■ Independent review and challenge■ Testing and maintenance■ Escalation

Inform

MonitorPerformance management and

risk profile monitoring

Individual performance objectives

Performance management framework

Current risk profile, forecast, and trend analysis

Inform

Divisions and Business Units

Cascade toBusinesses

Strategy and

targets

Planning

Stress testing

CAPITAL

LIQUIDITY

What does “better” look like? How risk appetite fits into ORSA


What does “better” look like?Improving Risk Strategy and Appetite

Example risk appetite statements and structure:Risk appetite statement Risk tolerance limit Key risk

indicatorsBusiness unit level

Totalenterprise

Capital - The company will maintain equity at a level sufficient to provide a high level of confidence of meeting customer obligations while targeting an acceptable return to shareholders over time.

Regulatory capital ratio will be maintained at a target ratio of xx% or higher.

• Monitor capital ratios and trending

• DCAT and stress testing

[Allocation of capital ($ amount or capitalratio) to business units]• BU A xxx%• BU B xxx%• Etc.

Capital will be maintained at a margin of xxx% over ORSA required capital

• Monitor capital ratios and trending

• DCAT and stress testing

[Allocation of capital ($ amount or capital ratio) to business units]

Totalenterprise

Earnings – The company will accept moderate short term variability of income in order to achieve superior rates of return on equity over time.

Quarterly earnings of at least 25% of plan, and fiscal year earnings of at least 75% of plan.

[Allocate to business units with separate P&Ls]


What does “better” look like?Improving Risk Strategy and Appetite

Example risk appetite statements and structure:

Risk appetite statement Risk tolerance limit

Key risk indicators

Business unit level

Operational Outsourcing - Outsourced processes will be subject to outsourcing best practices such as those set out in OSFI Outsourcing Guideline B-10.

Compliance with outsourcer service level agreements is to be monitored and any gaps remediated on a timely basis.

• Trending in reported exceptions

• Service level metrics vs. SLA standards

Operational IT security – The company will mitigate information security risks to achieve a high level of protection of customer personal information, and of proprietary information.

(commonly n/a, a “zero tolerance” item)

• Attempted penetrations, security breaches

Insurance Underwriting – The company will accept new business risks of market average quality, priced for a ROC in line with the strategic plan.

New policies written will have an average portfolio rating of x.New products and product repricing will require a minimum ROC of x%.

• Mix of standard vs sub-standard applications

• Close to quote ratio

• Use of either group or BU tolerancelimits

• Monitor KRIs in business units


ORSA summary results – Risk Assessment

■ When considering the current risk profile, firms tended to focus on financial risks (core ICA risk components), which led to them overlooking other non-financial risks required under the ORSA e.g. conduct and strategic risks.

■ In many reports the risk assessment process did not appear to align to the setting of the overall business plan.


Material Risk Assessment


■ High level risk assessments typically focus on capital preservation and income volatility, together with some “zero tolerance” limits for reputational and compliance risks.

■ Discussion of strategic risks is limited in most cases.

■ Risks and internal control assessments- Often not done by smaller

companies - Can be too detailed, and/or too

focused on financial reporting- Lack of linkage of net risks to

capital needs


ORSA Development RoadmapImproving Risk Assessment

■ Material risk assessments are typically too focused on financial reporting, ignore unmodelled risks

■ Operational risk understanding and data is generally minimal; framework should include elements of: Internal loss data collection Key Risk Indicators as a monitoring tool Operational risk taxonomy Business environment internal control

factors Risk and control self assessments


What does “better” look like?Improving Risk Assessment


■ Taking a qualitative assessment of net risks and linking to a quantitative determination of capital needs requires both “art” and “science”

– Many first ORSAs used a “top down” or total enterprise approach to identifying key risks, but a “bottom up” view can create a fuller picture

– Expert judgment required

– Intelligent use of scenario analysis

■ Challenge MCT/MCCSR with scenarios

■ Analyze and cost out specific scenarios for unmodelled risks – e.g. data loss or security breaches

■ Consider risk of failure of controls/mitigants

■ Approaches to operational risk

– Modelling without loss data?

– Monitoring qualitative assessments of op risks with KRIs


What does “better” look like?Improving Risk Assessment

Top Down Approach Bottom Up Approach

■ For example, product design determines risk exposure

■ Stress and sensitivity testing yields key risks are and approximate magnitude

■ Ensure that the key drivers are captured.

■ Results will be limited to the drivers selected.

■ How risks relate:■ Within a portfolio■ Across the

company■ Across

jurisdictions

Risk Focus Relevant Risk Drivers

Interaction of Risks


Operational Risk – Regulatory Guidance

DATE SOURCE PUBLICATION

Superceded OSFI Sound business and financial practices framework for life insurers. Proposed but not introduced for P&C insurance.

May 2006 OSFI Corporate Governance at TSA (The Standardized Approach) & AMA (Advanced Measurement Approach) Institutions

Ongoing development

Solvency II QIS models for measuring capital required, including specific amounts for operational risk

June 2011 BCBS Principles for the Sound Management of Operational Risk

June 2011 BCBS Operational Risk - Supervisory Guidelines for the Advanced Measurement Approaches

August 2011 OSFI Memo to Banks referencing BCBS - Principles for the Sound Management of Operational Risk: “OSFI believes that the principles outlined in the 2011 paper establish sound practices that are relevant to all deposit-taking institutions, and expects institutions to take account of the nature, size, complexity and risk profile of their activities when assessing their practices against the updated principles in the Principles paper in the course of normal compliance reviews. Institutions should develop a plan to remedy any deficiencies that come to light during their assessments.”

September 2012 OSFI OSFI issued Life Insurance Regulatory Framework, indicating that future life insurance capital requirements will be introduced that include specific margins for operational risk.

Summer 2015 OSFI Draft guidance expected


Some Examples of Common, But Usually Unreported Operational Risk Events

LOSS CATEGORY DESCRIPTION

Theft and Fraud • Fraudulent claims – fabricated events by fraud rings; exaggerated claims.• Unreported deaths for annuities and pensions.• Jumbo commissions on fraudulent life policies.

Unauthorised Activity • Internal collusion with external claims or other service providers.

Suitability, Disclosure and Fiduciary

• Failure to comply with training and sales practices requirements by sales force.• Failure to provide adequate selection and oversight of sales force.

Clients, Products and Business Practices

• Failure to apply underwriting or claims settlement standards.• Over-rides of underwriting or claims settlement standards.

Clients, Products and Business Practices

• Errors in product design or pricing.

System Failures • Interface errors between billing and receivable systems.• System configuration errors affecting complex computations.• Loss of data.


Monitoring Operational Risk Indicators

Purpose of Key Risk Indicators Factors that may provide early warning

signals on systems, processes, products, people and the broader environment.

Scorecard format facilitates easy identification of areas potentially posing increased levels of risk.

Can be structured to provide forward looking and historic based metrics.

Relies upon observable data as opposed to estimates of future activities (as is normally used in risk assessments) to produce a timely representation of the level of risk.

When combined with risk assessment and loss data gathering results, the cumulative information can provide a comprehensive profile of operational risk.

Application of Key Risk Indicators Risk areas to be monitored selected and

relevant KRIs identified. (Identification of KRIs with close correlation to actual exposure can only be determined over time.)

Initially, normally a generic series of indicators developed that are applicable across the organization.

Thresholds for each KRI developed to allow priority areas to be identified.

Thresholds can be set at business line and organizational level.

Comparison to loss data increases transparency.

The collection and collation of KRIs will require the design and implementation of supporting processes.


Monitoring Operational Risk Indicators – Examples

Some Examples of insurance KRIs New business application –

acceptance and rejection rates ; mix of standard vs. substandard risks submitted and accepted

Claims adjuster statistics – number of claims handled, average costs

Open claims inventory/backlog/new claims opened statistics

Claims experience vs. expected Reopened claims files Customer complaint statistics

Effectiveness of Key Risk Indicators Distinction between predictive,

preventive and detective indicators –you need all, but...

Recent example – public scandal over retiree benefits fraud at Long Island Railroad; for several years, a very high percentage of retirees retired, often early, claiming disability benefits – long after these statistics were observed, losses had accumulated to $1B


ORSA summary results – Emerging Risk Assessment

■ When considering emerging risks, firms tended to concentrate on upcoming regulatory changes e.g. FCA/PRA and EMIR. Reports which evidenced a process for assessing emerging risks often considered these in isolation to other risks and hence did not manage to evidence relevance to the risks faced by the firm. Few reports evidenced well developed processes for the identification and management of emerging risk.


Emerging Risk

Assessment


■ Limited treatment of emerging risks, or processes and responsibilities for identifying and monitoring emerging risks.

■ Insurers generally behind other financial institutions.


ORSA Development RoadmapImproving Emerging Risk Assessment

■ Emerging risk processes are mostly “ad hoc” and without quantitative analysis; other parts of the financial services industry seem to be more developed More board challenge and leadership Quantify possible exposures through scenario

analysis and stress testing Enable and expand on the use of scenario and

reverse stress testing to assess emerging/evolving risks

Scenario analysis can help develop the capability to respond to unexpected stress events -including events different from the scenarios


What does “better” look like?Improving Emerging Risk Assessment


■ Broad involvement

– Board and board risk committee can play a key role in constructive challenge

– Broad management involvement – risk function, senior management and business level execs

■ Process and monitoring

– Use of outside facilitation, but not always the same source, and a variety of outside inputs

– ‘Making it real’ – incorporating case studies, dry runs, war games

– Continuous monitoring – quarterly written reporting of emergent risks and changes in their status

– Most emerging risk processes were observed to be qualitative

■ quantitative stress and scenario testing promotes understanding of stress events and planning for resilience

■ reverse stress testing may help identify emerging risks, or re-evaluate their likelihood


ORSA summary results – Capital

■ Few reports demonstrated consideration of Reverse Stress Testing. In those instances where Reverse Stress Testing was considered, focus was given to the scenarios that caused the business to fail rather than the management actions to prevent it. Furthermore, the metrics and calibrations used to define business model failure from those firms that had conducted Reverse Stress Testing exercises varied significantly.

■ Whilst several reports evidenced useful results around stress testing there was limited consideration of management actions and unclear alignment of stresses to the business plan.


Stress and Scenario Testing (SST),

Reverse Stress Testing (RST)


■ Common to reference “enhanced” use of SST in the ORSA, particularly where no EC model is in place, although nature of enhancements are often unclear. In some cases, ORSA plans include more severe stress scenarios, more rigorous use of stochastic modelling for some scenarios.

■ Little or no use or planned use of reverse stress testing observed.


ORSA Development RoadmapImproving Stress Testing

.■ Stress testing should go far enough to test the

parameters that would breach capital requirements and management actions should be specific to the firm, not generic

■ Ensure alignment of stresses to development of the business plan, and development of management actions.

■ Consider expanded use of reverse stress tests including additional definition of metrics and calibrations used in creating the tests along with management mitigating management actions to prevent business failure.

■ Expect greater use of stochastic approaches vs. deterministic stress testing.



■ Overall Stress and Scenario Testing and Projection of Capital were noted areas of weakness for firms. Several firms referenced developments ongoing and cited a lack of production capability as the rationale.


Projection of capital


■ DCAT and stress testing conducted under previous regulatory requirements provide a reasonable starting point for capital projection.

■ Existence of a working EC model is a minority practice (approx15-20% of larger companies). Currently, cycle time limits its use in a production environment.

■ In addition, there is some partial use of EC-like models as a challenge for aspects of the standard capital model. Some described their EC or “ORSA capital” model as the standard model reflecting target ratios with some add-ons, but not a truly separate model.

■ Limited understanding of operational risk and diversification; common practice was to use proposed OSFI QIS models as a proxy.


ORSA Development RoadmapImproving Projection of Capital

■ Reducing reliance on the standard regulatory capital model (MCCSR and MCT) through more rigorous challenges of the standard model, and testing with alternate approaches for principal risks.

■ Effort to analyse and measure unmodelled risks.■ Ability to move beyond DCAT, and an understanding

of requirements for Economic Capital modelling.■ Develop an understanding of appropriate use of

stochastic modelling, and approaches to operational risk, risk aggregation and diversification.


What does “better” look like?Improving Projection of Capital and Stress Testing

Relevant Risk Drivers

Use of Outputs

Model Design

Model Controls

Aggregation of Risks

Stress and scenario testing for all companies

Full EC models for products with options and guarantees.

Consider the amount of data history when calibrating risk drivers.

Volatility of risk drivers

No established methodology Solvency II/ QIS correlations Expert judgment Technical solutions

Strategy Business planning Pricing Feedback for future

ORSAs

Reasonability checks when modelling is new –importance of risk assessment

Comparison to DCAT, QIS, Reserves


Example “lite” models – Method Comparison

Stress-based approach Curve fitting Replicating Portfolio LSMC

Calibration effort Low Medium High Medium/high

Market risk coverage Low Medium Medium/high Medium

Non-market risk coverage Low Medium Low

Low ( depends on ability to generate real-world scenarios)

Ability to validate Low Medium High Medium

Projection ability Low Medium Medium High

In-house expertise required

Low level of expertise required Medium/high High High

Senior management understanding Easy to explain Relatively easy to

explain Harder to explain Hard to explain


Model Governance

Capital modeling in the past Future requirements“Skunk works” or R&D environment “Production” environment, faster and more

frequent reporting

Informal/piecemeal approach to developing and maintaining models – and adjusting results

Systematic, controlled approach to developing, maintaining and operating EC models

Irregular, limited validation of model Ongoing validation and challenge of the model

Irregular, limited validation of data Disciplined approach to validating and analyzing appropriateness of data, continuous basis

“Black box” level understanding of models by management – outputs

Management responsibility for understanding and suitability of all aspects

EC not part of key management metrics and processes – limited regulatory use

Management able to meet a “use test” for EC as a condition of regulatory use


Capital model challenges

■ Cost and complexity

■ Skepticism about:

– Complex models

– Poorly understood models

– Over-simplified approaches

– Volatility, surprises, inaccuracies

– Subjective/hard to measure items; eg. operational risk

■ Data – availability, accuracy, suitability

■ Lack of validation


Capital model challenges, cont’d

■ Disconnect between EC and regulatory capital; tendency to manage to regulatory capital where it is the constraint

■ Some risks dominate the EC agenda – can result in under-development in “less important” areas

■ Embedding risk and capital management in management and governance of the enterprise:

– Broadening common understanding of risk concepts

– EC commonly centrally measured, monitored and managed; need to push down to business areas over time

– Meeting the “use test”

– Alignment of EC with objectives, compensation


Key components of an enterprise wide stress testing program

Methodology and

Framework

Capital and Liquidity

Assessment and

Management Reporting

Systems and

Infrastructure

Governance and Control

Selection and calibration of macroeconomic scenarios.

Best in class stress testing approach. Compliance with regulatory

requirements. Integrated impairment, capital and

liquidity management framework. Stress testing qualitative inputs

Sensitivity and scenario analysis. Capital, liquidity and impairment

assessment Monitoring of loss mitigation actions. Internal and external regulatory reporting. Monitor key performance indicators

(KPIs)

Single platform for scenario execution across different risk types.

The infrastructure should be able to aggregate risk results.

Strategic data platform to integrate data from different data sources.

Senior management engagement and ownership .

Governance framework to review stress testing methodology and results.

Ensure results of stress testing influence strategic initiatives and board discussions.

Stress testing subject matter expertise.



■ Many firms used their current ICA (individual capital assessment) as a basis to populate the capital section of their report. A clear area of development is to utilise Solvency II numbers and broaden out risk quantification further.

■ Firms with more mature capital sections presented a view on both the quantity and quality of own funds, including the composition and tiering of capital and debt.


Capital Assessment


■ Limited discussion of quality of capital and access to new capital observed.

■ In groups, discussion of fungibilityof capital was also limited, either across legal entities or jurisdictions.


ORSA Development RoadmapImproving Capital Assessment

.

■ More consideration of: quality of capital access to additional capital in the face of

growth or stress events■ For complex organizations, better analysis and

planning around fungibility of capital – i.e. ability to transfer capital freely between different subsidiaries and jurisdictions.


What does “better” look like?Improving Capital Assessment


■ Explicitly address the sources and quality of existing capital and opportunities for new capital if required

■ Analysis of fungibility of capital in more complex groups

– Address capital constraints between group legal entities, such as regulatory approvals required, particularly where different regulators apply, or where there are differing ownership interests

– Specifically address effect of stress scenarios at a specific entity level and at the group level



■ Several reports indicated how the ORSA would be used in future decision making processes. However, there was limited evidence of how the results of the Risk and Capital frameworks had been used in business decision making during the course of the year.

■ Mature reports presented decisions for consideration by the Board and were aligned to the latest Business Plan. This demonstrated the role of the Board and key elements of the report for consideration.


Use in Decision Making


■ Embedding of ORSA in business decisions could not be observed in most cases, but in some cases was discussed in the ORSA description of risk management processes.



■ Few reports demonstrated a clear alignment to the Business Planning process. ORSAs appeared to be run in isolation, or following the Business Planning process. This limited the challenge that Boards can raise and validity of the ORSA results.

■ Reports incorporating the anticipated changes to the business profile through implementation of the business and the projected Risk Profile associated with this were limited in number but at the stronger end of the spectrum.


Alignment to Business Planning


■ As expected, consistency and linkages of the ORSA process and results with the risk management, strategic, business and capital planning processes were extremely limited.

■ In many cases, it was unclear how the planned ORSA processes will be integrated with business and strategic planning.

■ A leading practice is to clearly align the development and review of ORSA with these processes, and embed a documented risk assessment in business decisions.


ORSA Development RoadmapEmbedding in Decision Making and Planning

■ Synchronize the ORSA cycle with reviews of other decisions and monitoring processes Timetable for risk appetite, strategic planning,

capital and business planning Make ORSA review a building block – reflect

the logical dependencies■ Require documented consideration of risk in

business decisions.


1 PlanGain an understanding

and agreement regarding the scope and objectives

of the ORSA

3 Policy designDesign an ORSA policy

6 ReportingDevelop reporting

standards and define a reporting process

5 Documentation /output

Determine documentation standards and

document the ORSA policy and the ORSA process

(including ORSA outputs)

Overview of one approach to planning the approach to the ORSA

4 ProcessDevelop an effective and robust

ORSA process and define regular ORSA outputs

The band represents the

replay of the whole ORSA cycle

Policy design

Plan

Reporting

ProcessDocument-

ation/Outputs

2 AssessmentEvaluate the required

efforts and perform a gap analysis

Assess-ment

7 ReviewReview of all ORSA

components (also the design of the ORSA policy) and

improve them if necessary within the next run

Review

No changeof ORSA

requirements


Illustrative example of high level ORSA process BAU timeline

Month 1 2 3 4 5 6 7 8 9 10 11 12

Business planning/strategy

Risk and capital management

Risk strategy/appetite

Material risk assessment (‘Risk identification’, ‘stress and scenario testing’)

Forecasting(‘Risk projection’)

Economic Capital(‘Risk projection’)

Risk Analysis

Capital Allocation

Reporting

Boards and committees

Governance

¼ Monitor

¼ Monitor

¼ Monitor

¼ Monitor

Annual process

Update

QRT

RMC RMC RMC Board RMC

Independent review and challenge

ORSA lite

ORSA lite

QRT ORSA lite

QRT Annual ORSA

QRT

SFCRRSR


The (largely separate!) processes in 2014

Typical business as usual (BAU) reporting and planning cycle

Typical 2014 ORSA development process Last year? Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Projectplan, workshops

Project plan

Assess and retrofit existing policies and reports

Quant analysis of capital

Review and redraft

Final ORSA

Gap analysis

Board input

Develop “missing pieces” Drafting of ORSA report

External review Board approval

File KMR

Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Finance YE reports

Q1 reports

Q2 reports

Q3 reports

Actuarial YE reports

Q1 reports

Stress tests Q2 reports

Q3 reports

DCAT

Budget &planning

Strategic planning

Board oversight


What does “better” look like?Embedding risk and ORSA in BAU processes

Regular risk reporting aligned with the reporting cycle Develop a dashboard to facilitate continuous reporting and monitoring Align risk reviews and the completion of ORSA with strategic and business planning cycle

Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Finance YE reports

Q1 reports

Q2 reports

Q3 reports

Actuarial YE reports

Q1 reports

Stress tests Q2 reports

DCAT Q3 reports

Risk monitoring

Q4 risk and capitalreports




ORSA reporting

Update risk appetite, risk assessment, projections

Updated ORSA

Board approval

File KMR

Budget &planning

Strategic planning

Board oversight

Board education on risk and capital


Other Presentations

The other presentations that were presented as part of the Risk and Regulatory series are:

■ IFRS 9 Classification, Measurement and Impairment (Insurance Sector): Initial Considerations

■ The New World of Cyber Resiliency

■ Market Conduct

■ Regulatory Compliance Management


Neil ParkinsonPartnerNational Insurance Sector LeaderT: +1 416-777-3906E: [email protected]

Elizabeth MurphyPartnerRisk Management AdvisoryT: +1 416-777-8279E: [email protected]

Marilyn DunnillSenior ManagerRisk Management AdvisoryT: +1 416-777-8530E: [email protected]

Presenters

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2015 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.

risk & regulatory series - rcm - kpmg us llp | kpmg | us · the current regulatory regime (i.e....

Documents